Google Begins Phase One Of Symantec Distrust On Chrome

Earlier this year, developers from the Chromium project announced the roadmap detailing Chrome’s plan to distrust Symantec-issued TLS certificates issued before June 1, 2016. The nearly two-year long blueprint was spawned when a Mozilla Developer forum post revealed some suspicious authentication certificates that were issued by one or more of Symantec’s CA (certification authority) child companies.

Long story short, Symantec was found to be allowing certain organizations to issue their own security certificates by circumventing the required procedures laid out by the CA Industry guidelines. This resulted in the Chrome teams decision to being the long process of distrusting the certificates issued by Symantec and its brand companies.

This week, the first signs of these plans have turned up in the Chromium repositories. The commit is titled as follows:

Implement the first phase of Symantec Distrust

The update spells out the first steps that will be taken when the Symantec distrust actions are put into effect.

DigiCert Global Root G2 and DigiCert Global Root G3 are treated as independently operated sub-CAs, as they were CAs already trusted on Chrome and Android, despite having been recently cross-signed by the legacy Symantec infrastructure. Their audits remain unchanged, and they are exempt from the CT requirement specific to Symantec.

DigiCert Transition RSA Root and DigiCert Transition ECC Root (https://crt.sh/?id=250864681) are treated as Managed Sub-CAs, subject to the Managed Partner Infrastructure policies. In particular, all certificates from these CAs are required to be “CT Qualified” in order to be trusted

All new certificates issued from the legacy Symantec infrastructure – excluding those CAs above and the pre-existing independent sub-CAs – issued after 2017-12-01 are not trusted.

Control over CT requirements uses the existing TransportSecurityState delegate methods.

Control over the phased trust status is expressed as a CertVerifier::Verify() flag.

Control over the CertVerifier::Verify() flag is exposed to the SSLConfig, and by proxy, the SSLConfigService.

The timeline for the update have been etched out in the Google Online Security blog and the first phase is scheduled to begin rolling out to Chrome Beta 66 on or around March 15, 2018. Site administrators will need to replace any Symantec certificates issued prior to June 1, 2016, with new ones trusted by Chrome. Read more about Certificate Transparency here.

The long-term timeline for these updates is slated to come to completion in Septemeber of next year when Chrome Beta 70 is released and all certificates from Symantec’s legacy infrastructure are “not trusted” by Chrome. According to Symantec’s security blog, DigiCert would be acquiring their PKI solutions and be handling updates to certificates beginning December 1, 2017.

About Gabriel Brangers

Lover of all things coffee. Foodie for life. Passionate drummer, hobby guitar player, Web designer and proud Army Veteran. I have come to drink coffee and tell the world of all things Chrome. "Whatever you do, Carpe the heck out of that Diem" - Roman poet, Horace. Slightly paraphrased.